Over the years, the routing features of OpenVPN have expanded. Most notably, there are quite a few options for the redirect-gateway
directive, as well as several other less well-known routing directives:
redirect-private
: This option behaves very similar to the redirect-gateway
directive, especially when the new parameters are used, but it does not alter the default gateway.allow-pull-fqdn
: This allows the client to pull DNS names from the OpenVPN server. Previously, only IP addresses could be pushed or pulled. This option cannot be pushed and needs to be added to the client configuration itself.route-nopull
: All the options are pulled by a client from the server, except for the routing options. This can be particularly handy when troubleshooting an OpenVPN setup.max-routes n
: This defines the maximum number of routes that may be defined or pulled from a remote server.In this recipe, we will focus on the redirect-private
directive and its parameters, as well as the allow-pull-fqdn
parameter.
We will use the following network layout:
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.12. The client was running Windows 7 64 bit and OpenVPN 2.3.11. Keep the configuration file, basic-udp-server.conf
, from the Server-Side routing recipe from Chapter 2, Client-server IP-only Networks, as well as the client configuration file, basic-udp-client.ovpn
, from the Using an ifconfig-pool block recipe from Chapter 2, Client-server IP-only Networks.
basic-udp-server.conf
file:push "redirect-private bypass-dhcp bypass-dns" push "route server.example.com"
example10-10-server.conf
.[root@server]# openvpn --config example10-10-server.conf
basic-udp-client.ovpn
, and save it as example10-10.ovpn
:allow-pull-fqdn
If the DHCP or DNS server was on a different subnet than the client itself, then a new route will have been added. This is to ensure that DHCP requests still go to the local DHCP server and are not sent over the VPN tunnel.
A route for the host server.example.com
will have been added.
The bypass-dhcp
and bypass-dns
options for the directives, redirect-gateway
and redirect-private
, cause the OpenVPN client to add an extra route to the DHCP and DNS servers if they are on a different network. In large-scale networks, the DNS server is often not found on the local subnet that the client is connected to. If the route to this DNS server is altered to go through the VPN tunnel after the client has connected, this will cause at the very least a serious performance penalty. More likely, the entire DNS server will become unreachable.
The allow-pull-fqdn
directive enables the use of a DNS name instead of an IP address when specifying a route. Especially, if a dedicated route to a host with a dynamic IP address needs to be made, this is very useful.
Note that the allow-pull-fqdn
directive cannot be pushed from the server.
Apart from the directives explained in this recipe, there are more routing directives available to control if and how routes are added to the client.
The route-nopull
directive causes the client to pull all the information from the server but not the routes. This can be very useful for debugging a faulty server setup. It does not mean that no routes are added at all by the OpenVPN client. Only the routes that are specified using push "route"
will be ignored. Starting with OpenVPN 2.4, it is also possible to filter out options that are pushed from the server to the client. The next recipe will go into detail on this.
The max-routes
directive is introduced in OpenVPN 2.1, as version 2.1 allows an administrator to push many more routes when compared to OpenVPN 2.0. To prevent a client from being overloaded with routes, the option max-routes n
is added, where n
is the maximum number of routes that can be defined in the client configuration file and/or can pulled from the server.
The default value for this parameter is 100
.
3.12.147.77